security-validation_skill

This skill helps you enforce WordPress security best practices by sanitizing input, validating logic, and escaping output to prevent XSS, CSRF, and SQL
  • Python

13

GitHub Stars

2

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill bobmatnyc/claude-mpm-skills --skill security-validation

  • metadata.json7.3 KB
  • SKILL.md44.6 KB

Overview

This skill provides a security-first WordPress development guide focused on nonces, sanitization, validation, and escaping to prevent XSS, CSRF, and SQL injection. It codifies a three-layer security model—sanitize input, validate business logic, and escape output—into practical, production-ready patterns for plugins and themes. Targeted at WordPress 6.7+ and PHP 8.3+, it delivers concrete code patterns and best practices.

How this skill works

The skill inspects common data flows and applies the three-layer model: sanitize immediately on receipt, validate for application rules, and escape at every output context. It includes nonce patterns for form, URL, and AJAX flows to stop CSRF, plus curated uses of WordPress sanitization functions (sanitize_text_field, wp_kses_post, absint, etc.). The guidance pairs nonce checks with capability checks and shows safe file upload and array sanitization workflows.

When to use it

  • When building admin forms, front-end forms, or AJAX endpoints.
  • When accepting user-provided HTML, files, or URLs for storage or display.
  • When creating links or actions that change server state (delete, update, create).
  • When storing numeric, email, or key-based values from untrusted sources.
  • When writing code that outputs user data into HTML, attributes, JavaScript, or URLs.

Best practices

  • Always sanitize input as the first step (use type-appropriate functions).
  • Validate business logic after sanitization and before processing (e.g., is_email, capability checks).
  • Escape output using context-specific functions (esc_html, esc_attr, esc_url, wp_kses for allowed HTML).
  • Protect state-changing requests with nonces and verify them before processing; combine with current_user_can().
  • Use wp_handle_upload and strict MIME checks for file uploads; sanitize file names and validate types.
  • Prefer unique nonce actions per resource (e.g., delete_post_123) and never rely on nonces alone for authorization.

Example use cases

  • Secure delete links: generate a nonce URL with wp_nonce_url and verify in the admin_action handler before deleting a post.
  • AJAX endpoint: enqueue a script with a created nonce, use check_ajax_referer in the handler, sanitize inputs, then wp_send_json_success/error.
  • Settings form: add wp_nonce_field in the form, verify on submit, sanitize each field with appropriate callbacks, validate values, then save.
  • File upload: verify nonce and capability, sanitize filename, validate MIME against an allowlist, call wp_handle_upload, and store the safe URL.
  • Rich content input: allow safe tags with wp_kses_post or define custom allowed tags via wp_kses, then escape when re-displaying if needed.

FAQ

By default a nonce is time-limited (about 24 hours total window). They should not be used as long-term authentication or stored for extended use.

Do I need to sanitize and escape if I validated input?

Yes. Validation checks business rules but may not neutralize dangerous characters—sanitize on input and escape on every output context.

Which escaping function should I use for HTML attributes?

Use esc_attr() for attribute values, esc_html() for plain HTML text, and esc_url() for URLs; choose based on the output context.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational